Heartbleed – Internet software should be polygamous

April 13, 2014

3 min read

For the last few days the news has been all about the Heartbleed internet security vulnerability, which may have helped hackers access thousands of users' passwords and security certificates from websites around the world. This is a serious issue that has affected the Internet, because over two-thirds of webservers (Apache and nginx) run the vulnerable version of OpenSSL. WSWS explains at the software level how 5 lines of erroneous code, which omitted a memory bounds check, resulted in this bug.
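To make the "missing memory bounds check" concrete, here is an added example (my own code, not from the post, WSWS or OpenSSL) in C. It uses a simplified, constructed heartbeat-style record layout rather than the real TLS wire format: a type byte, a two-byte payload length claimed by the sender, the payload, and at least 16 bytes of padding. The vulnerable pattern copied as many bytes as the sender claimed; the parser below compares the claim against the number of bytes actually received before copying anything.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat-style record, constructed for this example (not the
 * real TLS format): byte 0 is a type, bytes 1-2 a big-endian payload length
 * claimed by the sender, then the payload, then >= 16 bytes of padding. */
#define HB_HEADER_LEN 3
#define HB_MIN_PADDING 16

/* Copy the echoed payload out of rec. Returns the number of bytes copied, or
 * -1 if the record is malformed. The comparison against rec_len is the bounds
 * check the vulnerable code lacked: it copied payload_len bytes on the
 * sender's word alone, so a claim larger than the record read past it. */
int hb_parse(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec == NULL || out == NULL || rec_len < HB_HEADER_LEN)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* The claimed length must fit inside the bytes actually received
     * (payload_len is at most 65535, so this sum cannot overflow). */
    if (HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len)
        return -1;
    if (payload_len > out_cap)
        return -1;
    memcpy(out, rec + HB_HEADER_LEN, payload_len);
    return (int)payload_len;
}

/* Build a well-formed record for payload into buf; returns its length or 0. */
size_t hb_build(const uint8_t *payload, size_t payload_len, uint8_t *buf, size_t cap)
{
    size_t total = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    if (payload_len > 0xFFFF || total > cap)
        return 0;
    buf[0] = 1;                               /* heartbeat request */
    buf[1] = (uint8_t)(payload_len >> 8);
    buf[2] = (uint8_t)(payload_len & 0xFF);
    memcpy(buf + HB_HEADER_LEN, payload, payload_len);
    memset(buf + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);
    return total;
}

/* Honest record: the claimed length matches the bytes on the wire. */
int demo_honest(void)
{
    uint8_t rec[64], out[64];
    size_t n = hb_build((const uint8_t *)"ping", 4, rec, sizeof rec);
    return hb_parse(rec, n, out, sizeof out);     /* returns 4 */
}

/* Same record, but the length field now claims 65535 bytes while only 23
 * bytes were received; the bounds check rejects it instead of over-reading. */
int demo_overclaim(void)
{
    uint8_t rec[64], out[64];
    size_t n = hb_build((const uint8_t *)"ping", 4, rec, sizeof rec);
    rec[1] = 0xFF;
    rec[2] = 0xFF;
    return hb_parse(rec, n, out, sizeof out);     /* returns -1 */
}

/* A record truncated below the minimum padding is rejected as well. */
int demo_truncated(void)
{
    uint8_t rec[64], out[64];
    size_t n = hb_build((const uint8_t *)"ping", 4, rec, sizeof rec);
    return hb_parse(rec, n - 1, out, sizeof out); /* returns -1 */
}

int main(void)
{
    printf("honest=%d overclaim=%d truncated=%d\n",
           demo_honest(), demo_overclaim(), demo_truncated());
    return 0;
}
```

The design point is that the only trustworthy length is the one the transport delivered; any length field inside the message is attacker-controlled input and must be validated against it before it drives a copy.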

If you look at the list of websites, services and devices affected by this bug in OpenSSL, you will spot many popular Linux and FreeBSD distros, companies, government departments and device manufacturers around the world. It is evident that all those organizations benefitted from reusing OpenSSL, freeing their resources to focus on new innovations in their areas of expertise rather than reinventing the wheel. This is one of the big advantages of Open Source software.

While many used and benefitted from OpenSSL, only a few donated money or resources to the OpenSSL foundation, which maintains and improves the underlying code; there is only one full-time engineer for OpenSSL. Many organizations were simply “freeloading”. I am sure the Heartbleed incident will help those good Samaritan engineers working in large software and device companies to convince their management in future to donate sufficient resources to improving the Open Source projects their businesses depend on.

Heartbleed has put the spotlight on one other important issue – the need for choice in the underlying software powering the Internet. Open Source software like Linux, Apache, PHP and Mozilla Firefox has done a great deal for the software ecosystem and for businesses around the world in the last two decades. At the same time, the world needs more choice. All our eggs can’t be in one basket (Open Source), however great and virtuous it may be. Monogamy is bad for any technology ecosystem, especially for a connected world and IoT. In recent months even Wikipedia has started to show a decline in contributions and authors. There are numerous Open Source projects going on around the world, and there can’t be sufficient resources available for all of them. This is where I see tremendous value that commercial software vendors like Microsoft, Oracle, SAP and Adobe bring to the table.

We have seen this week that the Internet never goes down: even if two-thirds of the servers in it, which run Linux distros, were affected, it still chugs along on the servers that run other software like Microsoft Windows or Apple OS X Server. This resilience is due to the underlying software powering the Internet being polygamous.

Let me be clear: I am not implying in any way that one model of software development is better than the other (commercial software vs Open Source). There is a place and a need for both, and for other models that will come in the future.